From d7f672d1413040d2ea850ecb32644150da2e10db Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Sat, 4 Mar 2023 02:33:51 -0300
Subject: [PATCH] CI: define read-only permission for GitHub Workflow (#1175)

It secures the repo against erroneous or malicious actions from external jobs you call from your workflow. It's specially important for the case they get compromised, for example.
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 581c559..cf06817 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,7 @@ on:
 pull_request:
 branches: [ master ]
 workflow_dispatch:
+permissions: read-all
 jobs:
 cmake-build:
 strategy:
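Review bot: `permissions: read-all` still gives the GITHUB_TOKEN read access to every scope, which is broader than a build workflow normally needs; if the jobs only check out and compile the code, the tighter form is `permissions:` with a nested `contents: read`, adding further scopes per job only where a step requires them. The `jobs:` block continues outside this hunk, so which scopes the steps actually use cannot be confirmed from here. This key limits only the token: it does not cover secrets passed to an action explicitly, so pinning third-party actions to a full commit SHA remains the complementary control for the compromised-action case the description mentions. A one-line comment above the key, such as `# Default GITHUB_TOKEN to read-only; grant write scopes per job if ever needed`, would record the intent.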